[Pki-devel] Fwd: Re: [Freeipa-users] Updating the CA certificate
Christina Fu
cfu at redhat.com
Mon Nov 5 20:59:40 UTC 2012
On 11/05/2012 11:40 AM, Rob Crittenden wrote:
> Here is the same question I asked last week, this time by someone
> planning ahead.
>
> They have an externally-signed IPA dogtag CA whose external CA expires
> soon. How do they go about renewing things? I assume they need to
> renew the external CA first. Does it make a difference if the external
> CA is rekeyed?
Unless there is a legitimate concern about key exposure, or there is a
policy regarding how long a CA signing key pair can be used, in general,
renewing a CA signing certificate with the same key pair is much simpler.
Here is a link on how to do so:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/managing-ca-related-profiles.html
Look under
2.7.3. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period
Things are a bit more complicated if a CA is "re-keyed". This is
because of the need to populate the new trust and maintain the old, the
continued support of revocation with the old, and then there is also
dual generation of CRLs etc. It's more of a hassle in a deployment,
but of course not undoable.
Christina
>
> rob
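Added example, not part of the thread and not Dogtag's or the Red Hat guide's own procedure: a small openssl-based simulation of the two options Christina describes. It builds a throwaway CA (constructed names, temporary files) and one certificate issued under it, then (a) renews the CA certificate with the same key pair and checks that the public key is unchanged and the existing certificate still chains to the renewed CA cert, and (b) re-keys the CA under the same subject name and checks that the old certificate no longer chains to the new CA cert alone but does once both the old and the new CA certs are trusted. The openssl commands stand in for the Dogtag renewal profile; the property being tested is the same one the thread relies on.

```shell
#!/bin/sh
# Added example (not from the thread): simulate renewing a CA signing
# certificate with the SAME key pair versus re-keying it, using the
# openssl CLI, and check what each does to already-issued certificates.
# Subject names and file names below are constructed for the demonstration.

CA_SUBJ="/CN=Example Dogtag CA (constructed)"
LEAF_SUBJ="/CN=host.example.test"

# Leaf extensions: an AKID carrying only the key id survives a same-key
# renewal; an AKID carrying issuer name + serial would not, because the
# renewed CA certificate has a new serial number.
LEAF_EXT='basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'

# Starting state: a CA cert that "expires soon" (1 day) plus one end-entity
# certificate issued under it.  $1 = working directory.
setup_pki() {
    d="$1"
    printf '%s\n' "$LEAF_EXT" > "$d/leaf.ext"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca-old.crt" -subj "$CA_SUBJ" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "$LEAF_SUBJ" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca-old.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Renewal with the same key pair: a new self-signed CA cert from ca.key.
renew_same_key() {
    openssl req -x509 -new -key "$1/ca.key" -days 3650 \
        -out "$1/ca-new.crt" -subj "$CA_SUBJ" 2>/dev/null
}

# Re-keying: a brand-new key pair under the same CA subject name.
rekey_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1/ca-rekey.key" -out "$1/ca-rekey.crt" -subj "$CA_SUBJ" 2>/dev/null
}

# Public key of a certificate in PEM, so two certs can be compared.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Does the leaf chain to the given CA file?  0 = yes, non-zero = no.
leaf_verifies() { openssl verify -CAfile "$2" "$1/leaf.crt" >/dev/null 2>&1; }

# Scenario 1: same-key renewal.  Returns 0 when the renewed CA cert carries
# the same public key as the old one AND the existing leaf still verifies
# against it, i.e. nothing issued earlier has to be re-issued.
same_key_renewal_demo() {
    d=$(mktemp -d) || return 1
    setup_pki "$d" && renew_same_key "$d" || { rm -rf "$d"; return 1; }
    old=$(cert_pubkey "$d/ca-old.crt"); new=$(cert_pubkey "$d/ca-new.crt")
    [ -n "$old" ] && [ "$old" = "$new" ] && leaf_verifies "$d" "$d/ca-new.crt"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Scenario 2: re-keyed CA.  Returns 0 when the old leaf does NOT verify
# against the re-keyed CA cert alone but DOES verify once old and new CA
# certs are both trusted: the "populate the new trust and maintain the old"
# situation from the thread.
rekey_demo() {
    d=$(mktemp -d) || return 1
    setup_pki "$d" && rekey_ca "$d" || { rm -rf "$d"; return 1; }
    cat "$d/ca-old.crt" "$d/ca-rekey.crt" > "$d/ca-bundle.crt"
    ! leaf_verifies "$d" "$d/ca-rekey.crt" && leaf_verifies "$d" "$d/ca-bundle.crt"
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "run" ]; then
    same_key_renewal_demo && echo "same-key renewal: existing certs still chain"
    rekey_demo && echo "re-key: keep the old CA cert trusted until its issued certs expire"
fi
```

Run it as `sh ca-renew-demo.sh run`. The check worth carrying over to a real deployment is the first one: after a same-key renewal, `openssl x509 -noout -pubkey` on the old and new CA certificates must be identical, and a previously issued certificate must still pass `openssl verify` against the new CA cert on its own. The leaf's authority key identifier is deliberately key-id only; certificates whose AKID pins the issuer name and serial would fail the second check even though the key never changed. The re-key scenario shows why the old CA certificate has to stay in trust stores (and why CRLs must keep being produced for it) until everything it issued has expired or been re-issued.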